HACKER MEDICINE

For sports fans, the most exciting time of the year is the post season. It is when the underdogs have a chance to topple the better teams in the league, or last year’s champions are trying to win it again. Depending on the sport, these events can draw a lot of viewers, whether it is a single event or a seven game series. So, its no surprise there are sites that claim to offer fans the ability to watch these events online.

Right now, we are in the midst of the NBA finals pitting some of the finest players in the league against each other in their quest to win it all. The series was just tied 2-2 before Game 5 on Sunday. On that day, some Facebook users may have seen pages offering a free live stream of the game.
 

Figure 1. Free live NBA Finals stream posted on Facebook
 

Facebook users may also see posts about NBA Finals live streams linking to a page hosted on Tumblr.
 

Figure 2. Free live NBA Finals stream page on Tumblr
 

When a user selects “YES I AGREE” on the Tumblr page they are redirected back to Facebook and asked to install an NBAFinals Facebook application.
 

Figure 3. Scam NBAFinals Facebook app, permissions request
 

This Facebook application requests access to your profile, friends list, and email address. If a user grants permission, the application will request more permissions.
 

Figure 4. Scam NBAFinals Facebook app requests additional permissions
 

In addition to posting to your friends on your behalf, the scam Facebook application requests more permissions that do not make any sense for an application to have in order to enjoy free live streaming, such as access to manage your Facebook pages.

Even worse, after the application installs, users are redirected to another Tumblr site and asked to spread the scam on Facebook before proceeding.
 

Figure 5. Scam NBA Finals site asks users to share on Facebook
 

Figure 6. NBA Finals scam spreads on Facebook
 

For the user, after all this, there is no live stream presented. Instead, users will see a video player that doesn’t work. Clicks on the video player redirects users to a plugin install page that earns the scammers money through affiliate links.
 

Figure 7. NBA Finals scam page contains no live stream
 

There are some references in the final page to other sites that claim to offer live streams of the game. These pages are not official however, and these types of streaming sites are prohibited.

For the scammers, getting the user to install their Facebook application keeps the scam going because the application posts messages to your timeline on your behalf.
 

Figure 8. Scam NBAFinals app timeline post on Facebook
 

In cooperation with Symantec, Tumblr has removed the sites associated with this scam and we have reported the application to Facebook.

Users should be aware which applications they install on Facebook, especially when looking for special features or access to websites that offer live sport streams. If it seems suspicious, most likely it is.